2009-08-30

My Wife's EnV Touch has a 1/8" jack, higher-res webcam with auto-focus, a better browser and a few other features I really wish this one had. I'm just not a fan of touch-screen phones.

I'm not sure why they went with the dinky 1/16" jack on the Env3, and I'm getting tired of using whatever 1/16" stereo headphones I can find with all of my phones. I want to use whatever headphones are laying around! All of the 1/16" adapters I've found only have 3 contacts, which means they don't quite line up right with the 4-contact jack (Common, left, right, and microphone) found on many mobile phones and result in only getting one of the two stereo channels. This isn't acceptable to me. I needed something better.

I gutted a portable DVD player that broke, and un-soldered a headphone jack. I also scavenged some other parts from it for later, such as the speakers, various two-color LEDs, switches and a few SMT components.

I also found a stereo mobile phone headset in a parking lot a few weeks back. The headphones had been run over and are useless. I cut them off, then soldered the new headphone jack to the wires. Common (usually plain copper color) goes to the highest ring. Left and right go to the other ring and the tip respectively. Or maybe I have left and right reversed. I'm not one to care.

I used heat shrink tubing to hold the entire assembly together. The end result still has a microphone built in, so I can now use any 1/8" headphone as a stereo headset with my new phone.

Total cost: $0.00. The entire thing was built from junk parts and expendable materials I had laying around, such as shrink tube and solder. I'm pretty sure this will find its way to There, I Fixed It.

We are testing a new commenting engine powered by Disqus. All the old comments should remain on the site, but going forward, Disqus will handle the discussions.

This means that Blogger's relatively anemic commenting system gets gutted and replaced with a shiny new toy that allows threaded discussion and a bunch of other goodies. It seems to be working just fine, so take it for a spin and let us know what you think. You do not need to sign up for any services (even OpenID) to leave comments. Signing up for Disqus will allow you to edit your posts and interact with other commenters on many sites that use it though.

I've once again gotten a new phone, and once again had to hack it for tethering. I picked up the LG EnV3 (like I'd planned on) while my wife scored the touch-screen version. I'm afraid I'd break the large touch-screen, but I've managed to hack them both into submission, and my co-worker's LG Dare as well. At this next meeting, I'll go over what you need to change and why it matters. This will focus on 3G/CDMA/EV-DO networks such as VZW and Sprint, and will use LG phones for the demonstrations.

Also, thanks to a tip from STRSHR (one of our readers and commenters), I've gotten my mitts on Piranha 2, an OpenWRT/Jasager-based firmware upgrade for La Fonera routers, which adds a few other goodies right out of the box. I think you'll like it.

I'll cover both of these topics in detailed posts sometime in September, but for now, you'll have to come out and see them live at the September KC2600 meeting if you're in the area. As always, we'll have other things up for discussion, followed by a good meal and maybe a little bit of a dive into the old Magic Dumpster™, weather permitting. Come out and join us!

2009-08-21

I made an observation a few days ago. Ever since Randall Munroe passed 400 xkcd comics, it's pretty hard to run across a situation or discussion where you can't drop in a relevant link to one or more of them and seem to be staying on topic.

This, of course, requires a little bit of knowledge of past cartoons and possibly what they were named or some of the text within.

All of this got me thinking about The New Hacker's Dictionary, which is an old, old piece of work, the most recent edition released in 1996. It's basically Eric Raymond's "Jargon File" with some Crunchly illustrations from Guy L. Steele, Jr. (a.k.a. The Great Quux). Of course, now all that content has been HTML-ified and all the other fun stuff from the book has been added to ESR's online Jargon resource.

Crunchly was basically then what xkcd is now. Except we didn't have the web back then. And by "back then" I'm talking about the 1970s, therefore by "we" I'm talking about you old people, because I was born in '79.

Check it. Probably have to click for full resolution to read the frames. I wish I knew where to find more, but this site seems to have the most complete archive (and it's not too many).

Note, GLS often participates in Burma-Shave -esque verse and other wordplay in the background of Crunchly's monologues. Not much different than the mouse-over easter eggs on xkcd.

2009-08-15

Ever hear a song on the radio, but don't know who does it or what the name of the song is? Take note of the station you were tuned in to, and what time you heard it. Then when you get a chance, go to Yes.com. Hammer in the callsign for almost any commercial FM radio station in the US, and you can go back in time for about a week and get an hour-by-hour list of what was played. This doesn't work so well for live shows and certain simulcast/syndicated content.

Also, The Stream Center keeps an up-to-date list of Internet Radio Streams for most commercial radio stations that have them. You can browse by state or enter a radio call-sign. That means you aren't stuck using the craptastic web-based player many stations provide, and the hard work of reverse-engineering the website or network traffic to find the stream has already been done for you. Click. Play. Enjoy having access to radio stations around the world in your favorite music player.

Now, if you'll pardon me, I'm going to get back to using Exaile with the Streamripper! plugin to listen to and archive tonight's episode of Liquid Buzz, which is probably the only weekly electronic music show in Kansas City worth listening to, if not the only one in Kansas City, period.

2009-08-13

A friend of mine encountered a problem where all the storage vanished from the system while he still had a root shell. He needed to reboot, but could not do it any traditional way, because "reboot" "init" and most other commands were all on the no-longer-mounted filesystem.

I have a bunch of little shell gems written down in my notebook. Some of them are "things you can do with only shell built-in commands". Built-in commands also come in handy when your system is completely cratered, for example, by a fork bomb. Ever see this? It's usually the harbinger of bad news.

axon@silence:~$ ps
-bash: fork: Resource temporarily unavailable

Some of the following may work in other operating systems with modification.

The basics

ls: One of the first things you'll probably want to be able to do is list files. Since "cd" is a built-in as well, you can navigate. You can use the old standby "echo *" - it will barf out a list of files in the current directory. You can even alias it.

    alias ls="echo *"

cat: You'll need to create a shell function, but if you use built-ins wisely, you can create a "cat" clone that will dump files out by reading and echoing one line at a time until the end-of-file. I have this written down, but I apparently found it on some web discussion board years ago. You can name the function "cat" so that it doesn't even try to use /bin/cat anymore.

    # read -r keeps backslashes intact; quoting "$1" handles paths with spaces;
    # the [ -n "$l" ] test emits a final line that lacks a trailing newline
    cat() { while IFS= read -r l || [ -n "$l" ]; do echo "$l"; done < "$1"; }

Use /proc!

Once we have a "cat" and "ls" replacement, we can poke around in /proc to our heart's content to get information about what is wrong. Don't ignore informative treasures such as /proc/meminfo and files in /proc/sys for example. Everything you find in /proc has the potential to help you investigate what went south. Here are some of my favorite tricks for using /proc:

ps: This is REALLY UGLY and just plain ghetto. But it will tell you what pid belongs to what. Note, you'll have to have the "cat" function above defined. If you want to decode all the info, look at the /proc/[number]/stat section of the proc(5) man page.

    # dump the stat line of every numeric (per-process) directory in /proc
    ps() { for line in /proc/[0-9]*/stat; do cat "$line"; done; }

kill: This is a builtin of most shells including bash... No special tricks needed. You can TRY to kill things now that you have a ghetto "ps" replacement. If you have a fork-bomb, you'll have to fight pretty hard to get anywhere.

    kill -[signal] [pid]
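A more readable take on the builtins-only "ps" described above, as an added example that is not from the original post: it decodes the pid, parent pid, state and command name from each /proc/[pid]/stat line without forking. The function names parse_stat and bps are made up for this example, and it assumes the Linux stat layout documented in proc(5) and a shell where printf is a builtin (true for bash).

```shell
# Added example: a "ps" built from shell builtins only (read, printf, set, [).
# Nothing in these functions forks or execs, so they keep working when
# fork() fails or when /bin has vanished from under the shell.

# Parse one /proc/[pid]/stat line and print "pid ppid state comm".
# comm is wrapped in parentheses and may itself contain spaces or ")",
# so split on the LAST ") " in the line instead of on whitespace.
parse_stat() {
    line=$1
    pid=${line%% *}        # field 1: everything before the first space
    rest=${line#*\(}       # drop the leading "pid ("
    comm=${rest%\) *}      # shortest suffix match: cut at the last ") "
    after=${line##*\) }    # longest prefix match: text after the last ") "
    set -- $after          # word-split: $1 = state, $2 = parent pid
    printf '%s %s %s %s\n' "$pid" "$2" "$1" "$comm"
}

# Walk every numeric directory in /proc and print one decoded line each.
bps() {
    printf '%s\n' 'PID PPID S COMM'
    for f in /proc/[0-9]*/stat; do
        # Skip an unmatched glob (no /proc) and unreadable entries.
        [ -r "$f" ] || continue
        # A process can exit between the glob and the read; skip it quietly.
        { IFS= read -r line < "$f"; } 2>/dev/null || continue
        parse_stat "$line"
    done
}

# Usage, once both functions are pasted into the broken shell:  bps
```

A state of Z in the third column marks a zombie, and the PPID column points at the parent to go after with kill.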

Last ditch efforts

reboot: One can force a reboot using the "echo" builtin and SysRq kernel calls, but SysRq has to be compiled into the kernel (it is with Ubuntu). This was the eventual solution to my friend's almost-unusable system at the beginning of this post, since all other hope was lost.

The following will enable SysRq, then send the "boot" command (equivalent to pressing alt-prtscr-b on the console). The reboot is immediate: nothing is synced or unmounted first.

    echo 1 > /proc/sys/kernel/sysrq; echo b > /proc/sysrq-trigger

exec: Exec [command] will almost always work, but you only get one shot at it, since it replaces the shell with whatever you call. If you waste it on something that doesn't recover the system, you'll lose your shell at the same time. Best to use this on "reboot" or similar.

    exec /sbin/reboot

Have any other must-know commands to weasel your way out of a nearly-deadlocked system? Let us know in the comments! I am always looking for nifty shell recipes like this to jot down for a rainy day.

2009-08-09

Okay, so maybe I was looking for any excuse to embed this hilarious Strongbad Email clip -- which is kind of an inside joke among certain geek cliques including the writers here at HiR.

Music gets me through the day, and while the kind of "techno" above doesn't actually get my motor going, I figured I'd share some links to stuff I listen to whilst hacking, coding, squashing bugs and herding wayward sysadmins.

Glitch.FM - Recently founded by DefCon and i-Hacked favorite DJ Great Scott, Glitch offers a solid variety of electronic music styles throughout the day.

Philosomatika - Focusing almost exclusively on dark, organic Goa/Psy-Trance, Philosomatika will either make you very nervous or very focused. Sometimes both.

Somafm - Bringing you several different channels, not all electronic. My fave: Tag's Trip

AfterhoursDJs - Full DJ sets, 24 hours a day. Focuses mostly on trance, but you'll find plenty of breakbeat and house as well.

Maybe I'm a bit biased here. I usually listen to electronic stuff without too many vocals while I'm trying to focus. Does music help you? What are you listening to?

2009-08-07

First comment on this post gets a Google Voice invite. I'd prefer if you don't already have a GVoice account, but whatever. I will need an email address to send it to or some other way (twitter? IRC? AIM?) to send you the invite code.

2009-08-06

I threw together this video of my Vegas trip. It's a bunch of photos (sorry for all the Ken Burns zooms) and some video clips from DefCon 17 in Las Vegas. I took almost all of these, but owe a tip of the hat to Dan Spisak as well as Axel Taferner & Amber Baldet for some of these, because they captured some things at DefCon I missed. Check out their photo streams as well.

This was my 6th time going to DefCon in the last 11 years. I tried to capture the spirit of DefCon with this. I feel this video represents the things you can expect to see there.

I hope to make it out there again next year, and hopefully I can bring my wife along!

2009-08-04

No, not really. It is about time for a new phone, though. My two-year subsidized phone contract is up in a few weeks, and not a moment too soon. I've had a great run of things with my 2nd Generation LG Chocolate VX8550. But it's showing signs of being on its last legs and it's gotten pretty beat up the past few years.

Mine is on the left. My wife's is on the right. Nicks, scratches, a non-working soft-button... Yeah, I am kind of rough on my phones. All that bicycle riding, dumpster diving, and setting the phone down on concrete takes its toll...

When asking for advice on what new phone to get, I put forth the following requirements:

Tethering ability (even if it's under-the-radar like I do with my Chocolate)

I'd really like a qwerty keyboard, not required though.

Affordable. Like under $100 after renewing my plan.

I wouldn't mind if it can play music or take photos as long as it supports microSD cards, but even those features, I don't really need. I need a Kia of the phone world. Something minimalist. I do not want a smart phone.

Then, it seems the entire world is out to tell me how awesome smart phones are and decide to chastise me for my adamant stance of not needing one. In essence, these folks are preaching about how practical their Ferraris of the phone world are.

The thing is, I carry my laptop most everywhere I absolutely need a computer. Until I can buy a phone that's got 200GB of storage, Wifi AND 3G (or equivalent), and can do some pretty solid web browsing, SSH, and things like that, I really can't justify replacing my laptop with a phone. Therefore, it makes little sense to overlap functionality while spending a lot more on a phone than I need to.

So, I'll put the call out to you, our readers, who might be somewhat enlightened. You might actually understand I want just a phone with a WAP browser, tethering, and maybe a qwerty keyboard, something that I can score for under $100 and use on Verizon's network. I kind of have my eyes on the LG EnV3 (shown left).

Also, you're more than welcome to donate a VZW-compatible smart-phone to me if you really, really think I absolutely must be converted. You won't find me bankrolling your experiment, though. I'll do my best to go about my daily grind while using it, and try hard not to completely destroy it. Note: I've busted a few touch-screens in my day. Things like BB Storm wouldn't stand a chance with me.

2009-08-03

It's Monday, and I'm surprisingly spry considering the weekend I had. It might have something to do with the Infosec recharge I got. I'll let Asmodian X put together his own thoughts, as we rarely were at the same events and talks, for good reason. There were a lot of great talks overlapping one another! I can't possibly upload every photo I took, so I'll just post a few here, and I'll make a slide show video later on when I have time.

Thursday

Due to family matters, I had to hit the airport a whopping FOUR hours before my 6:40AM flight to Las Vegas via Denver International. That meant leaving home around 2:00 AM Thursday. This would pretty much set the pace for the weekend.

Dawn takeoff from MCI

I arrived at McCarran International a little after 9:00 AM and waited for Tom and his wife to show up. We rented a limo to get to our respective hotels. Yeah, we could have caught a cab. We should've, actually. But hey, it's Vegas.

I found out my roommates at Circus Circus wouldn't be in town for quite a while, so I spent most of Thursday dragging everything around with me.

I dropped by a few of Thursday's talks, but didn't stay through any of them. Lee Kushner was giving a similar "Infosec career" talk to the one I heard last year, the Intro to lockpicking was just that: an intro, and the talk on FPGAs was half-way finished and over my head by the time I got to it. The Apple TV talk/demo seemed like it would be interesting... if you have an Apple TV. I don't have one, nor do I even intend to. DefCon 101 and Defense? After attending DefCon for 11 years off and on, I didn't feel compelled to check them out. Yes, I'm elitist like that.

Actually, I just wanted a place to set my bags down and veg and an excuse to do it without feeling like I'm wasting half a day worth of talks to check out. That meant that after I got the badges and swung through some of the talks, I spent most of my time in the Chillout room at the Riv, messing with people.

I had Evil Wifi up and running pretty much everywhere on Thursday and determined a few things:

1) 6x 1.2v/2650mAh NiMH batteries run the Fonera for well over 4 hours
2) La Fonera WILL overheat and lock up after an hour or so in a backpack
3) There are a lot of suckers at airports. Even at 5:00 AM at Kansas City International.
4) There are even more suckers at DefCon. I snarfed well over 1,000 Session IDs and cookies from more than 100 people at DefCon on Thursday alone. The wall of sheep has nothing on me.

Before: Jasager overheating in the backpack at McCarran International Airport.

After: Jasager lashed to the outside of the backpack so it can breathe.

I got accused of "DoSing the wireless" by a pair of perplexed kids who couldn't get onto their MySpace or something, but the fact was I had blacklisted the DefCon and DefConA network from Jasager, so they had tried joining something else. They were probably just angry at getting schooled. At no point did I re-use any of the session IDs, but it was fun to go back and look at the gigantic list of accounts I could've potentially laid to waste. This is DEFCON, folks. Wise up.

Thursday Night, several of us pooled our funds and rented a tandem-axle F650 Limo to get to Toxic BBQ. At the end of everything, the Limo worked out to $8 per person including the Chauffeur tip.

Just about the polar opposite from the stretch F650, I caught a ride back to the Riv on the HackBus with a bunch of other people. This relic was having a hard time getting moving with all of us on board, but it was a fun ride all the same, if a bit uncomfortable.

After Toxic BBQ, I hung out for a few hours talking to some folks. After Asmodian X landed, we geeked out with the badges for a bit, trying to figure out what all they were up to. I weeded through some of the source code to find some interesting tidbits, but they'd all been spoiled already, as I soon found out.

Friday

After a quick breakfast at Denny's (it was PACKED), Asmo and I split. I hit the Opening keynote with Joe Grand to learn a little bit more about the badges. Again, it was mostly a "this is why we had to issue paper badges to a bunch of you yesterday" apology session. He also disclosed that next year's badges will likely be using the same processor and development environment as he had to double-order parts this year. This year's badge featured an RGB LED and a microphone. It was cool sitting in the chillout room watching it pulsate to the music! Scroll down to the hardware hacking village section for information about inter-badge communication.

[Slides not online yet. Here's a link to Make:Online]

I stuck around for Schneier's Q&A session. Schneier can come off like a know-it-all a-hole sometimes, but he seemed to be quite personable at this session. When you're a polymath such as Schneier, I suppose you're allowed to hold court without too much social backlash, though. As I've been following Schneier's work for quite some time, I can say that the vast majority of the answers to his questions were basically torn from his prior writings. Funny, then, that so many people flooded the room to see his talk while being so clueless about where he stands on most of the issues.

[No slides presented. Go read Schneier On Security, as almost all his answers are there.]

The DefCon Security Jam panel was funny, mostly a Fail Rant by a few of the industry's more prominent characters. It was enjoyable for a few good laughs yet unremarkable. I don't have much more to say about it.

[No Slides Presented]

Jason Scott from textfiles.com (who STILL archives stuff HiR was writing 12 years ago!) talked about what it's like to be sued for more than two billion (with a B) dollars, and provided sound advice to those who find themselves on the business end of a real life lawsuit. He also differentiated between real lawsuits and silly settlement offers and mundane legal threats. His advice: Talk to your friends, don't be scared, get a lawyer (the EFF is your friend), and don't cave if you think the litigation is unfair.

[Slides Not Online Yet]

I tried to get into Johnny Long's talk, Three Point Oh. No slides were to be found, but judging from the Schedule, it was THE talk to see. Given Johnny's story, I'm really hoping the video for this one leaks out to the Internet somewhere. I caught part of "Stealing Profits From Stock Market Spammers" - I had the idea of trying to get the early jump on stock market pump-and-dumps, but since it's hard to tell when they started, it's even harder to tell when to dump them.

[Slides Not Online Yet]

On Friday, I noticed that the blue element in my RGB LED wasn't lighting up anymore. I decided to swing by the Hardware Hacking Village to see if anyone had an RGB LED for sale or some spare parts to hack the badge with. I'm glad I showed up when I did, because a crew of hardware hackers was there putting the finishing touches on the DefCon 17 Badge puzzle. In his badge presentation, Joe said that the different badge classes (Human, Speaker, Press, Vendor, Contest, Goon, and Uber) fit together to form a circular disc. From there, you can wire them up over I2C to network them together. With the default firmware, the LEDs will synchronize, which looks pretty cool.

This team gathered badges from volunteers (including a DefCon-supplied Uber for the center) and wired it up in front of a crowd of excited people, including Joe and DT. Talk about timing!

As far as the blue LED goes, Joe Grand told me my battery was dying and that Blue is always the first one to stop responding. I verified it by hooking up the badge to a CR123A I had in the hotel room. Blue came back. Battery life on the DC17 badge: totally lame. Maybe Parallel button cells next year?

Friday night, several of us took a trip across town to the iDefense event, 52 stories in the air offering a fantastic view of Las Vegas at dusk. By the time the open bar shut down, I'd had my fill of partying for the night. Asmo and I called it a night. Some kept partying until well into the morning. I didn't have it in me. I got some shots of Las Vegas from high up, though. I haven't had a view like this since DefCon 9 when we were staying at the Stratosphere. Wait. Is that an In-and-Out down there?! NOM NOM NOM!

Saturday

I saw Joe Grand talk about electronic parking meters (just like everyone else). This was somewhat of a derivative of his talk given at InfoSec World 2008, but more focused on one type of device. Methodologies used in hardware hacking were covered in a case-study fashion with some very useful information presented in an entertaining fashion. Definitely check out the link below.

[slides and info]

Being a guy who is interested in emergency preparation, I headed over to see Renderman talk about Hackers and Disasters and Personal Survival Preparedness. Unfortunately, both of them were not what I was expecting. Renderman's a great guy, but the talk was too general and diluted. Personal survival preparedness felt like an intro crash-course to situational awareness, once the speaker's computer problems got sorted out. I left early to hit the skyboxes.

[You don't need to see the slides]

In skybox 207/208, video from Track 1 was being fed into the monitors. This let me catch the last part of the RFID Mythbusting track (wish I could have caught the whole thing!) and then I watched Adam Savage talk about how Failure affects all of us, how we can embrace failure, how to spot it coming and how to mitigate it before it ruins projects. Adam's a great speaker and seemed to be really enjoying the crowd's energy. It has me wondering if he wasn't disguised, lurking among us prior to his talk.

[Adam needs no slides. Adam needs to present at TED sometime.]

I snagged a not-so-quick Chipotle burrito with Chris from Securabit, then enjoyed watching Ricky Lawshae's talk on using TCP/IP sequence prediction to launch replay attacks against electronic prox-card door locks. You need to see the video for this one.

[Slides aren't online yet. Wired Article]

Easily the most entertaining presentation of the weekend for me was Sniffing Keystrokes with Voltmeters and Lasers. While voltmeters won't work (you really need a good O-scope), the attacks presented hold merit. One relies on data-to-ground leakage and unique clock frequencies in PS/2 Keyboards that allows you to compare electrical ground to true earth ground. This often discloses keyboard scancodes, but doesn't work on USB keyboards. The other method is a derivative of using lasers and photo-diodes for remote audio surveillance. This builds onto other work on statistical analysis of letter frequency, since each key will make a somewhat unique and repeatable sound when pressed (supposedly). They liken the analysis to a Wheel of Fortune puzzle.

[Slides from a similar presentation at a different convention] (pdf)

I helped set up for the podcaster's meetup after that, and then sat through the broadcast and Q&A Session. That was, as usual, a great time where I got to catch up with a few SecurityTwits.

After that, the i-Hacked/PaulDotCom party took over and DOMINATED. i-Hacked set up a Liquid Sky display (oddly enough, an inch off the ground, give or take, not up in the air), which was a prismatic line-level green laser combined with a fog machine. The end result was a green, eerie swirling plane just off the floor.

I headed over to the Fireside lounge well after midnight to check out the event being put on by HiR's premiere sponsor, Edgeos. I finally caught up with Jay Jacobson (Founder/CEO) and enjoyed a few drinks on the house while chatting it up with a few of Edgeos' other employees. I've got a lot more information about Edgeos for you coming this month. Yes, it's powered by Nessus (and some other slick software) but they've done a great job with the UI, internal scanning engine and private label branding features. I'll stop there and show you some cool stuff in the coming weeks.

I didn't sleep Saturday night at all. A good chunk of my fellow Kansas City hackers were lounging at Kady's after throwing a successfully epic bash, so I kicked it with them and enjoyed a few cups of coffee. At about 4:30, I took off to the airport and made my way homeward.

2009-08-02

It happens, sometimes: your system has a critical failure and you need to access it via a serial port for a true hardware console. Maybe the video card died, maybe there is not a video card. Maybe your system uses LOM and you need to access it. In these and many other cases it is very handy and necessary to have a serial terminal available. For decades most laptops came with regular DE-9 serial ports but now very few still have them. In the effort to remove "legacy" ports and also to slim machines nearly all have gone to only having a couple or more USB ports and relying on adapters to gain access to these older connections. Occasionally, though, running a port over USB causes some compatibility issues.

In cases such as this it might be advisable to use a serial terminal converter. In a large installation with a high grade KVM setup it may be worthwhile to purchase something like the Raritan AUATC (ASCII Terminal Converter). This will integrate into a large KVM infrastructure and allow an admin to access the serial console via their normal KVM infrastructure. The AUATC is an expensive piece of hardware much of the time. This is fine for critical uses where the ability to administer the machine makes that cost palatable, but this could add almost a third to the cost of many servers just to dedicate an AUATC to it.

Enter the Briel PockeTerm. While this does not offer the finished product like Raritan, nor the KVM integration, it is much less expensive and an open project so that it can be configured as needed to support nearly any serial function. The project is based on the Parallax Propeller platform, also seen on the DefCon 16 badge. The PockeTerm is available in a few flavors, from fully built boards down to bare PCBs, and Vince Briel has published fairly extensive documentation on the device, including schematics and firmware code. While this is not a turnkey device, it is significantly less expensive and open to being modified for application-specific uses.

This also makes it useful for its original target: vintage computers. The PockeTerm can be put into a small project enclosure and be paired with a common consumer grade KVM or used with a spare VGA capable monitor and keyboard. Adding the PockeTerm to a small VGA LCD screen and a compact keyboard would create a very portable standalone terminal for use in a data center crash cart or other uses where a serial console would be desirable on the go. The PockeTerm would also be very easy to stash in a rack drawer to be ready for use in uncommon situations where having a dedicated terminal converter would be prohibitive.

There are other solutions of this type available, but this one comes from a well known source and has yet to be fully commercialized. Often first run projects are sold at or just above cost to cover the initial setup costs and are more expensive than other projects that have been finalized and can take advantage of economies of scale.

About HiR

HiR is what happens when 1990s-era e-Zine writers decide to form a blog. Most of us hail from the Great Plains region of the United States.

Ax0n, HiR founder and editor-in-chief, is an information security specialist currently working in the luxury goods industry.

Asmodian X joined HiR in December 1997 and currently works as a web developer and SysAdmin in the education industry.

Frogman has been on board since May 1998 and has many technical passions. When not experimenting with obscure hardware, he can be found leaping from one rooftop to the next, making the world his office.

TMiB has also been helping since 1998. Also our resident Physicist and go-to guy for xkcd jokes we don't get, The Man in Black currently works in the Internet industry in an east-coast data center.